Privacy Policy

Our commitment to privacy within Havensrock

At Havensrock, a trading name of Howden Employee Benefits & Wellbeing Ltd (“HEBW”) (“we”, “us”, “our”), we regularly collect and use information which may identify individuals (“personal data”). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.

The purpose of this Privacy Notice is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to navigate to the information that may be most relevant to you.

Do read this Privacy Notice with care. It provides important information about how we use personal data and explains your legal rights. This Privacy Notice is not intended to override the terms of any terms of business agreement or other contract which you have with us or any rights you might have available under applicable data protection laws.

We may amend this Privacy Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this Privacy Notice so that you will always know what personal data we collect, how we use it, and with whom we share it.

This version of the Privacy Notice was published on the 12th August 2021

Who does this Privacy Notice relate to?

This Privacy Notice relates to the following types of individuals, where we hold your personal information:

There are types of individuals who this Privacy Notice does not relate to, for example our employees and sub-contractors (including prospective and former employees and sub-contractors). If you are one of these individuals and would like further information on how we collect, use and store your data, please contact us. Our contact details are shown in the “how you can contact us” section of this Privacy Notice.

1. WHO is responsible for looking after your personal data?

Havensrock is a trading name of Howden Employee Benefits & Wellbeing Limited (HEBW). HEBW is a subsidiary of Howden Broking Group Limited (“HBG”), which is part of the Howden Group, and is the Data Controller. We are registered in England under company number 02248238. Our registered office address is One Creechurch Place, London EC3A 5AF. We are regulated in the UK by the Financial Conduct Authority (FCA) under reference number 312841. We are registered with the Information Commissioner’s Office (ICO) under registration Z7272727.

2. WHAT personal data do we collect?

We collect your personal data and use it in different ways depending on your relationship with us and how you have interacted with us. Data we collect can include information we receive about you from third parties acting in their capacity as data controllers, and where they have established a lawful basis for providing us with that information. Depending on your relationship with us, we may hold the following types of personal data about you:

Some of our processes combine different sets of information we hold. This can include combining different data sets we have about you, or combining your information with that of other individuals.

Special Category Data

Certain types of information are known as “special category data” under data protection law, and receive additional protection due to their sensitivity, for example information that reveals your health or medical conditions, race or ethnicity, your political views or your religious beliefs. We will only collect this information where we have a legal basis for doing so, and where it is strictly necessary, such as:

3. What PURPOSES do we use your personal data for and what is our LEGAL BASIS?

We are required to establish a legal basis to use your personal data. We use your information for the following lawful reasons:

To enter into or perform a contract: for example to provide you with an insurance quotation, to start, change or cancel an insurance policy, to administer the policy, to manage any claims which arise, to answer any queries you may have, action your requests or perform any debt recovery;

Special Category Data

In some cases, insurers and other benefits providers may require information about your health and/or that of your dependants in order to consider an application to provide cover/benefits, or to make that cover/those benefits available to you/your dependants. The processing of special category data, such as health data, requires an additional legal basis to the grounds set out above. This additional legal basis will typically be:

PLEASE NOTE – Our lawful basis for processing your special categories of data will usually be that it is necessary for reasons of substantial public interest and subject to appropriate protections. In the limited circumstances where the benefits are not secured by insurance, and no other legal basis is available, the legal basis of our processing will be your explicit consent. Where necessary, documentation that you need to complete to provide that information will include a provision where you can indicate that consent. You may withdraw your consent to such processing at any time, however you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and it may not be possible for the insurance cover to continue), or continue to support you in administering a claim. This may also mean that your policy will need to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences.

4. Who do we SHARE your personal data with?

Where applicable, we share your personal data with the following types of third parties when we have a valid reason to do so;

We may also make your information available to other companies which are part of Howden Group Holdings, whom support us in providing our services to you. They may use this information for statistical analysis, business reporting or for external business development purposes for which they may receive remuneration, such as providing market insight to insurers on a confidential basis. We and they will only disclose your personal data to third parties outside of the Howden Group in accordance with Data Protection Law, or in an anonymised and/or aggregated format where necessary to support the purposes stated above. Finally, insurance involves the use and disclosure of your personal data by various insurance market participants. The Lloyd’s and London Insurance Market Core Uses Information Notice sets out how insurance market participants process your personal data during the insurance lifecycle. Please review this Notice as well as our Privacy Notice.

5. International Transfers

For business purposes, to help prevent/detect crime or where required by Law or Regulation, we may need to transfer, or allow access to, your personal data to parties based overseas. These parties include brokers, insurers, re-insurers, service providers, other Howden Group companies & law enforcement agencies. Where we do this, we will ensure that your information is transferred in accordance with the applicable Data Protection requirements.

If the Data Protection laws of the country where we transfer your data are not recognised as being equivalent to those in the UK, we will ensure that the recipient enters into a formal legal agreement that reflects the standards required.

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 9 of this Privacy Notice if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).

6. Automated Decision Making and Profiling

Please note we do not undertake any automated decision-making or profiling with your personal data.

7. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 3 of this Privacy Notice. In most cases this will be for seven (7) years following the end of our relationship with you however, in some circumstances we may retain your personal data for longer periods of time, for instance:

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business. You can request a copy by contacting us on the details shown in Section 9 of this Privacy Notice.

8. What are your rights?

Data protection law gives you rights relating to your personal data. This section gives you an overview of these and how they relate to the information you give us. The UK supervisory authority for data rights, the Information Commissioner’s Office (ICO), has also published detailed information about your rights on their website:

You have a right to request copies of the personal data we hold on you, along with meaningful information on how it is used and who we share it with. This right always applies, but there are some instances where we may not be able to provide you with all the information we hold. If this is the case, we will confirm why we are unable to provide it – unless there is a valid legal reason that means we cannot let you know why.

If personal data we hold is inaccurate or incomplete, and this has an impact on the way we are using your data, you have the right to have any inaccuracies corrected and for any incomplete data to be completed. If you ask us to rectify your personal data, we will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.

You have the right to request that your personal data is erased in certain circumstances. If you ask us to erase your personal data, we will either confirm to you that this has been done, or if we are unable to delete it, let you know why and also inform you how long we will hold it for. For more information, see Section 7 of this Privacy Notice.

You can ask us to restrict the use of your personal data in certain circumstances. If you ask us to restrict the use of your personal data, we will either confirm to you that this has been done, or if we are unable to restrict it, we will inform you why.

You can object to receiving direct marketing from us. You can do this by clicking on the unsubscribe link in any marketing email we send you, or by contacting We will ensure that you do not receive such material going forward, unless you change your mind and specifically request it in the future.

You can challenge the use of your personal data where we use a legitimate business interest as a legal basis to process your information. You can find more information on when we use this legal basis in section 3 of this Privacy Notice. If you do so, we will either confirm to you that the processing has stopped, or there is a valid reason for the processing to continue, we will inform you why.

You can object to us using your personal data for statistical purposes in some instances. If you do so, we will either confirm to you that the processing has stopped, or there is a valid reason for the processing to continue, we will inform you why.

In certain circumstances, you have the right to request that your personal data be compiled into a common, machine readable format and either provided directly to you or sent by us to a third-party you nominate. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.

If you are unhappy with how we have used your personal data or if you believe we have failed to fulfil your data rights, you have the right to complain to us, and can contact us to raise your concerns using the details shown in Section 9 of this Privacy Notice.

If you remain unhappy with our response you may raise a complaint with a supervisory authority responsible for data protection and privacy. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO), who can be contacted using the following details:

9. How you can contact us

We take data privacy seriously and your opinion matters to us. The primary point of contact for all issues arising from this Privacy Notice, including requests to exercise data subject rights, is our Data Protection Officer, Owen Davies, who can be contacted in the following ways:

If exercising a right, please also note the following: